After a summer of multiple vacations from various team members, we’re finally ready to release Keycloak 1.0 Beta 4. There aren’t a lot of new features in the release because we focused mainly on performance, creating new SPIs, refactoring code, improving usability, and lastly fixing bugs. 64 issues were completed. As usual, go to the main keycloak.org page to find download links and to browse our documentation, release notes, or view our screencast tutorials. Here are some of the highlights of the release:
- Server side memory cache for all UI pages.
- Cache-control settings for UI pages
- Server side cache for all backend metadata: realms, applications, and users.
- In-memory implementation for user sessions
- New Federation SPI. Gives you a lot of flexibility to federate external stores into Keycloak
- Improved LDAP/Active Directory support
- Token validation REST API
- Support for HttpServletRequest.logout()
- Lots and lots of bug fixes and minor improvements
You should see a big performance increase with this release as everything is cacheable in memory and the database can be fully bypassed.
1.0 Final is on the way!
What’s next for Keycloak? This month we will be focusing on resolving the remaining issues logged in Jira, improving our test coverage, and updating our documentation and screencasts. No new major features. We’ll have an RC release around the 3rd week of August, then our first Final release in the 2nd week of September!
Aug 06, 2014 @ 10:09:36
I would like to know if Keycloak has taken over as the way to go with OAuth 2.0 on JBoss, or whether the Skeleton key implementation in RestEasy is still going to be maintained and developed?
I was successful in running the Skeleton key OAuth 2 examples (after updating the out-of-date certificates), but I’m really struggling to understand how the code works since it’s so full of hacks. I would also like to see an example of using Skeleton key with a pure JavaScript/HTML5 client. In particular I don’t understand how this would work with the signed access tokens.
Any help you can provide would be greatly appreciated.
Thanks,
Rasmus
Aug 06, 2014 @ 12:36:59
I would like to retire Skeleton key in Resteasy, not sure I can though. Some people just want to run on crappy JAAS and old JBoss login modules and roll their own login screens. You are right that it is full of hacks. Much of that is because of JBoss’s ancient security API/SPIs. Much of that is because of the limitations of JAAS.
Saying that though, Keycloak has great support for pure JavaScript/HTML5. It comes with an AngularJS example app that uses the Keycloak JavaScript adapter to secure it. How does it work? Well, the JavaScript adapter implements OpenID Connect (an OAuth2 extension) and uses the access code protocol to obtain access tokens (and refresh tokens). It also uses the OpenID Connect IFrame trick to check if a user is still logged in. You’d have to explain more about how you “don’t understand how this would work with the signed access tokens”.